Formatting a new filesystem with ext4 is revealing an issue with util-linux's blkid.

# mkfs.ext4 -m 0 /dev/mapper/crypt-squid
mke2fs 1.42.12 (29-Aug-2014)
Creating filesystem with 131071488 4k blocks and 32768000 inodes
Filesystem UUID: 8f2febaa-42cd-4688-944c-7b5e9924bb15
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
	4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
	102400000

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

--->
Jan 8 02:25:59 testbed kernel: [31462.646228] audit: type=1400 audit(1420705559.895:1351): avc: denied { read } for pid=18595 comm="mkfs.ext4" name="blkid.tab" dev="tmpfs" ino=5441676 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan 8 02:25:59 testbed kernel: [31462.646255] audit: type=1400 audit(1420705559.895:1352): avc: denied { open } for pid=18595 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=5441676 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan 8 02:25:59 testbed kernel: [31462.646274] audit: type=1400 audit(1420705559.895:1353): avc: denied { getattr } for pid=18595 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=5441676 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan 8 02:26:00 testbed kernel: [31462.847423] audit: type=1400 audit(1420705560.096:1354): avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid.tab" dev="tmpfs" ino=5441676 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan 8 02:26:00 testbed kernel: [31462.847464] audit: type=1400 audit(1420705560.096:1355): avc: denied { write } for pid=18595 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=370936 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
Jan 8 02:26:00 testbed kernel: [31462.847480] audit: type=1400 audit(1420705560.096:1356): avc: denied { add_name } for pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
Jan 8 02:26:00 testbed kernel: [31462.847606] audit: type=1400 audit(1420705560.096:1357): avc: denied { create } for pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan 8 02:26:00 testbed kernel: [31462.847733] audit: type=1400 audit(1420705560.096:1358): avc: denied { setattr } for pid=18595 comm="mkfs.ext4" name="blkid.tab-ZaM0Am" dev="tmpfs" ino=12040320 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1
Jan 8 02:26:00 testbed kernel: [31462.847925] audit: type=1400 audit(1420705560.097:1359): avc: denied { remove_name } for pid=18595 comm="mkfs.ext4" name="blkid.tab.old" dev="tmpfs" ino=5439904 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=dir permissive=1
Jan 8 02:26:00 testbed kernel: [31462.847941] audit: type=1400 audit(1420705560.097:1360): avc: denied { unlink } for pid=18595 comm="mkfs.ext4" name="blkid.tab.old" dev="tmpfs" ino=5439904 ipaddr=173.173.113.156 scontext=root:sysadm_r:fsadm_t tcontext=root:object_r:var_run_t tclass=file permissive=1

The denial spew summarized is that when you run mkfs.ext4, it loads up /sbin/blkid (from sys-apps/util-linux) in the background. I am somewhat fuzzy as to the reason for this, but my best guesstimate is that mke2fs uses this tool for various things like UUID determination, whether a block device is formatted, whatever. When mke2fs runs blkid, it generates output in /var/run/blkid.
However, this output is more in the sense of a temp file rather than an actual lock/pid file. I am of two minds with this. On one hand, fixing this so that it has permission to manage junk in /run/blkid is relatively straightforward and safe. On the other hand, it should not be using /run as a stand-in for /tmp. I'm leaning more towards 'yelling for upstream to fix this' rather than 'adjust selinux to support bad application choices'.
I decided to send this upstream. I made a filetrans for fsadm_run_t. I assume other fsadm tools will use /run too since everything seems to be migrating there.
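What a filetrans fix of this shape looks like, as an illustrative refpolicy-style local module added here (not the change that was actually committed): a private type for the libblkid cache under /run, a type transition so whatever fsadm_t creates directly under /run lands in fsadm_run_t rather than var_run_t, and the manage rules covering every permission listed in the denials above. The module name, its version, and the assumption that fsadm_run_t is not already declared by the base policy are mine.

```selinux
# Illustrative local module, not the committed policy. Assumes fsadm_t exists
# (it is the scontext in the denials) and that the base policy does not yet
# declare fsadm_run_t; if it does, drop the type declaration below.
policy_module(fsadm_run_local, 1.0)

gen_require(`
	type fsadm_t;
')

# Private type for libblkid's cache: /run/blkid/blkid.tab, its blkid.tab-XXXXXX
# temp file and blkid.tab.old. Marking it a pid file type keeps it confined to
# the /run hierarchy in the eyes of the rest of the policy.
type fsadm_run_t;
files_pid_file(fsadm_run_t)

# Covers the file denials (read open getattr write setattr create unlink) and
# the directory denials (write add_name remove_name) in one place, without
# granting fsadm_t write access to generic var_run_t.
manage_dirs_pattern(fsadm_t, fsadm_run_t, fsadm_run_t)
manage_files_pattern(fsadm_t, fsadm_run_t, fsadm_run_t)

# Files and directories fsadm_t creates directly under /run are labelled
# fsadm_run_t at creation time, so the denials do not reappear when blkid
# rebuilds its cache on a system whose /run was not relabelled.
files_pid_filetrans(fsadm_t, fsadm_run_t, { dir file })

# Matching file context entry, which belongs in the module's .fc file:
#   /run/blkid(/.*)?	gen_context(system_u:object_r:fsadm_run_t,s0)
```

After loading the module, a `restorecon -Rv /run/blkid` relabels any cache files that already exist, and `ls -Z /run/blkid` should show fsadm_run_t before the next mkfs run is checked against the audit log.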
in git, will be in -r6
r6 policy is in ~arch
Now stable